Symantec™

symantec security response

ISSN 1444-9994

April 2003 Newsletter


These are the most common Viruses, Trojans, Worms and Exploits reported to Symantec Security Response during the last month.

Country Spotlight: Belgium
W32.Klez.H@mm
Trojan Horse
IRC Trojan
Swporta.Trojan
W32.Lirva.A@mm
W95.Hybris.worm
Backdoor.Dvldr
W32.Kwbot.C.Worm
W32.Bugbear@mm
Backdoor.Sdbot

Top Global Threats
W32.Klez.H@mm
Trojan Horse
HTML.Redlof.A
Backdoor.Dvldr
IRC Trojan
JS.Exception.Exploit
W95.Hybris.worm
W95.Spaces.1445
W32.Funlove.4099

Asia Pacific
HTML.Redlof.A
W32.Klez.H@mm
JS.Exception.Exploit
W32.HLLW.Lovgate.G@mm
Trojan Horse
Backdoor.Dvldr
W95.Hybris.worm
IRC Trojan
W32.Funlove.4099

Europe, Middle East & Africa
W32.Klez.H@mm
Trojan Horse
HTML.Redlof.A
JS.Exception.Exploit
Backdoor.Dvldr
IRC Trojan
W95.Spaces.1445
W95.Hybris.worm
W32.Nimda.E@mm

Japan
W32.Klez.H@mm
Backdoor.Dvldr
HTML.Redlof.A
W32.Weird
Trojan Horse
IRC Trojan
W32.HLLW.Deloder
W95.Hybris.worm
W32.Klez.E@mm
W32.Nimda.E@mm

The Americas
W32.Klez.H@mm
Trojan Horse
IRC Trojan
Backdoor.Dvldr
W95.Hybris.worm
JS.Exception.Exploit
W32.HLLP.Handy
W95.Spaces.1445
W32.Pinfi




Removal Tools for malicious code are on our web site.

A list of Virus Hoaxes reported to Symantec.

A list of Joke Programs reported to Symantec.

Glossary for definitions of viruses, Trojans, worms and more.

 

This month we have a very interesting article, 'Convenient, Useful and Insecure – Wireless Enablement', by Jason Conyard, Symantec's Director of Wireless Product Management. Jason has spent many years researching wireless security issues and their solutions and has an in-depth understanding of this area.

Symantec Security Response is making its Security Alerts available to other web sites. To include these alerts on your web site, go to the following page to configure a script that you can copy and paste directly into your own HTML page.

http://securityresponse.symantec.com/avcenter/cgi-bin/syndicate.cgi

On May 1, 2003, revised standards for use of the EICAR test file will go into effect. The test file is not malicious and does not replicate; it is often used to test anti-virus installations. The first 68 characters of the file will be the string to scan for. They may be followed by any combination of white space characters, with the total file length not exceeding 128 characters. The only white space characters allowed are the space character, tab, LF, CR and CTRL-Z.

The EICAR web site will be updated with the new standard on May 1st.

http://www.eicar.org/

I expect it will be a while before all anti-virus products enable detection for the new standard; there is no cause for alarm if a particular product does not detect the new test file(s).
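The following checker is an added example, not a Symantec or EICAR tool: it tests whether a byte buffer conforms to the revised standard described above (the published 68-byte EICAR string, an optional trailer of space, tab, LF, CR or CTRL-Z, and a total length of at most 128 bytes). It checks conformance of the file, not whether any scanner detects it; the result names and the sample buffers in main() are constructed for the example.

```c
/* Conformance checker for the revised EICAR test-file standard (1 May 2003).
 * Added illustration code; not from Symantec or EICAR. */
#include <stdio.h>
#include <string.h>

/* The published EICAR string, split into two literals so that this source
 * file is not itself flagged as a test file by an on-access scanner. */
#define EICAR_PART1 "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-"
#define EICAR_PART2 "ANTIVIRUS-TEST-FILE!$H+H*"
static const char EICAR_SIGNATURE[] = EICAR_PART1 EICAR_PART2;

#define EICAR_SIG_LEN 68u   /* bytes that must match exactly */
#define EICAR_MAX_LEN 128u  /* signature plus trailer may not exceed this */
_Static_assert(sizeof(EICAR_SIGNATURE) == EICAR_SIG_LEN + 1, "EICAR string must be 68 bytes");

enum eicar_result {
    EICAR_OK = 0,
    EICAR_TOO_SHORT,
    EICAR_TOO_LONG,
    EICAR_BAD_SIGNATURE,
    EICAR_BAD_TRAILER
};

/* White space permitted after the signature: space, tab, LF, CR, CTRL-Z. */
static int eicar_trailer_byte_ok(unsigned char c)
{
    return c == ' ' || c == '\t' || c == '\n' || c == '\r' || c == 0x1a;
}

/* Classify a buffer holding the whole candidate file. */
enum eicar_result check_eicar(const unsigned char *data, size_t len)
{
    if (len < EICAR_SIG_LEN)
        return EICAR_TOO_SHORT;
    if (len > EICAR_MAX_LEN)
        return EICAR_TOO_LONG;
    if (memcmp(data, EICAR_SIGNATURE, EICAR_SIG_LEN) != 0)
        return EICAR_BAD_SIGNATURE;
    for (size_t i = EICAR_SIG_LEN; i < len; i++)
        if (!eicar_trailer_byte_ok(data[i]))
            return EICAR_BAD_TRAILER;
    return EICAR_OK;
}

/* Human-readable name for a result code (names are this example's own). */
const char *eicar_result_name(enum eicar_result r)
{
    static const char *const names[] = {
        "valid EICAR test file", "too short", "longer than 128 bytes",
        "first 68 bytes do not match", "disallowed byte after signature"
    };
    return names[r];
}

int main(void)
{
    /* Constructed samples for the demonstration, not files from the page. */
    unsigned char buf[EICAR_MAX_LEN + 1];
    memcpy(buf, EICAR_SIGNATURE, EICAR_SIG_LEN);

    printf("bare string:   %s\n", eicar_result_name(check_eicar(buf, EICAR_SIG_LEN)));
    buf[68] = '\r'; buf[69] = '\n';
    printf("with CRLF:     %s\n", eicar_result_name(check_eicar(buf, 70)));
    buf[70] = 'x';
    printf("trailing 'x':  %s\n", eicar_result_name(check_eicar(buf, 71)));
    memset(buf + EICAR_SIG_LEN, ' ', EICAR_MAX_LEN + 1 - EICAR_SIG_LEN);
    printf("128 bytes:     %s\n", eicar_result_name(check_eicar(buf, EICAR_MAX_LEN)));
    printf("129 bytes:     %s\n", eicar_result_name(check_eicar(buf, EICAR_MAX_LEN + 1)));
    return 0;
}
```

Feed check_eicar() the complete file contents; a scanner that stops matching at the first 68 bytes will also accept a file with junk after the signature, which this checker deliberately rejects.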

The May edition of the newsletter will contain a link to a web based questionnaire about this publication. There are only 10-12 questions and I would encourage you to spend 5 minutes to participate so that we can ensure future editions of the Symantec Security Response Newsletter continue to be relevant and of interest to you.

Best Regards

David Banes.
Editor, Symantec Security Response Newsletter.

Useful Links

Microsoft Windows 2000 WebDAV / ntdll.dll Buffer Overflow Vulnerability
http://securityresponse.symantec.com/avcenter/security/Content/3.17.2003.html

Patch for all versions of Windows 2000 except the Japanese NEC version.

Patch for the Windows 2000 Japanese NEC version.

Viruses, Worms & Trojans

Trojan.Linux.JBellz
Aliases:
Risk: Low [1]
Date: January 14th 2003
Platforms Affected:
Windows 3.x, Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me, Microsoft IIS, Macintosh, OS/2, UNIX.

Overview
Trojan.Linux.JBellz arrives as a malformed .mp3 file. When the file is played with a specific version of the mpg123 player under Linux, the Trojan horse's code is executed and deletes all the files in the home directory of the current user.

References
http://securityresponse.symantec.com/avcenter/venc/data/trojan.linux.jbellz.html
 

W32.Hawawi.Worm

Aliases:
Risk: Low [2]
Date: March 19th 2003
Platforms Affected
Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me

Overview

W32.Hawawi.Worm is a worm that spreads through email using its own SMTP engine, and through ICQ, Yahoo Messenger, PalTalk and KaZaA. The email message has one of many different Subject lines, such as:

  • '''*< Love Speaks it all >*'''
  • Co0o0o0o0oL
  • Fw:
  • Heeeeeeeeeeeeeeeey
  • Wussaaaaaaaap?
  • WoW But not for NoW
The messages carry an attachment with a .pif extension, usually Hawawi.pif.

The payload of W32.Hawawi.Worm overwrites all files that have the following extensions with zero-byte files: mpeg, rm, wav, sql, mde, php, cpp, swf, ram, mp3, frm, dpr, rar, mpg, jpg, pdf, pps, ppt, txt, htm, html, zip, doc, mdb, xls.
       
References
http://securityresponse.symantec.com/avcenter/venc/data/w32.hawawi.worm.html
 
Credit
by: Douglas Knowles

Security Advisories

Oracle E-Business Suite RRA/FNDFS Arbitrary File Disclosure Vulnerability
Risk: High
Date: 11th April 2003
Components Affected
Oracle Applications 10.7, 11.0
Oracle E-Business Suite 10.7, 11.0, 11.1 to 11.8

Description
The Oracle E-Business Suite RRA/FNDFS server has been reported to be prone to an arbitrary file disclosure vulnerability.

The Oracle FNDFS server is normally used by Oracle utilities to retrieve and extract report data from the Concurrent Manager server. It has been reported that an attacker may use FNDFS to reveal the contents of arbitrary files on the vulnerable system that are readable by the 'oracle' or 'applmgr' user accounts.

Sensitive information obtained in this manner may be used in further attacks against the vulnerable system.
 

References 

Source: Integrigy OracleDB Listener Security
URL: http://www.integrigy.com/info/Integrigy_OracleDB_Listener_Security.pdf

Source: Oracle E-Business Suite FNDFS Vulnerability
URL: http://www.integrigy.com/alerts/FNDFS_Vulnerability.htm

Source: Oracle Homepage
URL: http://www.oracle.com/index.html

Source: Oracle Security Alert #53
URL: http://otn.oracle.com/deploy/security/pdf/2003alert53.pdf
http://www.sarc.com/avcenter/security/Content/7325.html

Credits
Discovery of this vulnerability has been credited to Stephen Kost of Integrigy Corporation.
 

Snort TCP Packet Reassembly Integer Overflow Vulnerability
Risk: High
Date: 15th April 2003

Platforms Affected

Conectiva Linux 8.0
Gentoo Linux 1.4 _rc2
Gentoo Linux 1.4 _rc3

Components Affected
SmoothWall SmoothWall 2.0 beta 4
Snort Project Snort 1.8 - 1.8.7
Snort Project Snort 1.9 - 1.9.1

Description
A vulnerability has been discovered in Snort. The problem occurs during the reassembly of TCP packets by the stream4 preprocessor. By sending specially crafted fragmented packets across a network monitored by Snort, it may be possible to trigger an integer overflow. As a result, a buffer overflow may occur, allowing a remote attacker to corrupt heap memory. Note that the attacker does not need to be able to reach the sensor itself: any traffic the sensor passively inspects can carry the crafted segments.

Successful exploitation of this issue could allow a remote attacker to execute arbitrary code on the sensor.

This issue affects Snort releases prior to Snort 2.0 RC1.
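The integer-overflow-to-heap-overflow pattern described above, as an added illustration of the bug class rather than Snort's own stream4 code: a generic model of TCP stream reassembly (the segment structure, the 32-bit offset arithmetic, the policy limit and all names are assumptions of this example) in which the vulnerable size computation lets a segment end wrap to a small value, shown beside a checked version that refuses the segment before anything is allocated or copied.

```c
/* Generic reassembly model illustrating integer overflow in size accounting.
 * Added example; NOT Snort's code.  Names and layout are assumptions. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct segment {
    uint32_t offset;             /* position of this segment in the stream */
    uint32_t len;                /* payload bytes */
    const unsigned char *data;
};

/* VULNERABLE: offset + len is computed in 32 bits and wraps silently, so a
 * segment that "ends" past 4 GiB yields a tiny total.  A reassembler that
 * allocates total bytes and then copies len bytes at offset overflows the
 * heap buffer. */
uint32_t total_size_unchecked(const struct segment *segs, size_t n)
{
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t end = segs[i].offset + segs[i].len;   /* may wrap */
        if (end > total)
            total = end;
    }
    return total;
}

/* HARDENED: reject any segment whose end would wrap or exceed the policy
 * limit, before any allocation.  Returns 1 and sets *out on success. */
int total_size_checked(const struct segment *segs, size_t n,
                       uint32_t limit, uint32_t *out)
{
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++) {
        /* rearranged so the comparison itself cannot overflow */
        if (segs[i].len > limit || segs[i].offset > limit - segs[i].len)
            return 0;
        uint32_t end = segs[i].offset + segs[i].len;
        if (end > total)
            total = end;
    }
    *out = total;
    return 1;
}

/* Hardened reassembly: sizes are validated first, so every copy below is
 * within the buffer actually allocated.  Caller frees the result. */
unsigned char *reassemble_checked(const struct segment *segs, size_t n,
                                  uint32_t limit, uint32_t *out_len)
{
    uint32_t total;
    if (!total_size_checked(segs, n, limit, &total) || total == 0)
        return NULL;
    unsigned char *buf = calloc(total, 1);
    if (!buf)
        return NULL;
    for (size_t i = 0; i < n; i++)
        memcpy(buf + segs[i].offset, segs[i].data, segs[i].len);  /* offset+len <= total */
    *out_len = total;
    return buf;
}

int main(void)
{
    /* Constructed sample: two sane segments, and one whose end wraps. */
    static const unsigned char filler[0x20] = {0};
    struct segment sane[2] = {
        { 0, 5,  (const unsigned char *)"GET /" },
        { 5, 11, (const unsigned char *)" HTTP/1.0\r\n" },
    };
    struct segment wrapped[1] = { { 0xFFFFFFF0u, 0x20, filler } };
    uint32_t len;

    unsigned char *buf = reassemble_checked(sane, 2, 65535, &len);
    if (buf) {
        printf("sane stream (%" PRIu32 " bytes): %.*s", len, (int)len, buf);
        free(buf);
    }
    printf("wrapped segment, unchecked total: %" PRIu32 " bytes\n",
           total_size_unchecked(wrapped, 1));   /* 16, not ~4 GiB */
    printf("wrapped segment, checked: %s\n",
           total_size_checked(wrapped, 1, 65535, &len) ? "accepted" : "rejected");
    return 0;
}
```

The checked variant does two things the vulnerable one does not: it bounds every segment against an explicit maximum stream size, and it tests for overflow with a subtraction that cannot itself wrap, so the decision to allocate is made on trustworthy numbers.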
 
Recommendations
Run all server processes as non-privileged users with minimal access rights.
Configure Snort to run with the least privileges necessary whenever possible; Snort's -u and -g options drop to the given user and group after initialization, and -t chroots the process to a directory. This may limit the consequences of an attacker executing arbitrary code on a target system.

Use memory protection schemes where available.
The exploitability of this issue to execute arbitrary code may be hindered through the use of various memory protection schemes. Where permissible, implement non-executable and randomly mapped memory pages.

Implement multiple redundant layers of security.
Where possible, implement multiple layers of network security. This may limit the consequences of a network sensor or firewall being made unavailable.

While NetBSD does not include Snort by default, Snort is available through pkgsrc. NetBSD users who have installed Snort packages should use pkgsrc/security/audit-packages to apply upgrades.

This issue is addressed in Snort 2.0. Users are advised to upgrade.
References

Source: CERT CA-2003-13 Multiple Vulnerabilities in Snort Preprocessors
URL: http://online.securityfocus.com/advisories/5302

Source: CORE CORE-2003-0307 Snort TCP Stream Reassembly Integer Overflow Vulnerability
URL: http://online.securityfocus.com/advisories/5294

Source: Bug 2.0b4-mallard 005
URL: http://smoothwall.org/beta/bugs/mallard-006.html

Source: Snort Homepage
URL: http://www.snort.org/

Credits
Discovery of this issue is credited to Bruce Leidl, Juan Pablo Martinez Kuhn and Alejandro David Weil from Core Security Technologies.
 

Security News

Convenient, Useful and Insecure – Wireless Enablement

by Jason R. Conyard, Director, Wireless Product Management.

Last month's announcement from Intel regarding its investment in 802.11 is just the latest press release in what has become one of the hottest technologies to be seen, and more importantly adopted, for some time.

Handhelds (PDAs) have become common at home and increasingly in the office. With devices of just about every conceivable size, shape, function and price available, it appears these once high-end gadgets are here to stay. As people become more comfortable with creating, storing and sharing information on handhelds, the value and dependability of those devices increase in importance. Being able to maintain the integrity of the device, its data and the access it potentially has to other systems becomes critical.

It is estimated that in 2002 alone more than 25 million wireless LAN (802.11) chipsets were sold (1), despite significant publicity about inherent weaknesses in the standard's security. Even where basic methods to secure wireless LANs are available, they are rarely employed, often leaving the wireless network open to anyone and everyone.

Bluetooth, the Personal Area Networking (PAN) radio technology that allows desktop wires to be replaced with wireless connections, is finally seeing adoption. In fact, Bluetooth chip sales, at an estimated 35 million, outpaced those of 802.11 for 2002 (2), which likely indicates a significant increase in embedded connectivity in consumer electronics in mid-2003.

The convergence of mobile computing with wireless communication is providing opportunities that have for the longest time been the sole domain of science fiction. It also presents significant security challenges to both individuals and organizations. There has been much debate about security threats to 'wireless' and there are, as noted above, certainly reasons to pause before jumping in with both feet and committing financially. It is, however, extremely important to remember that the largest area of concern continues to be the traditional wired infrastructure.

Whether for a home PC or a global IT enterprise, servers, gateways and desktops need to be maintained and updated with the latest patches and security solutions. Firewall and antivirus software should be running the latest definitions to ensure maximum protection.

This is not to suggest that wireless LANs cannot be deployed or that handhelds should not be used, but before they are, a complete view must be taken of how these technologies will be used, what systems they will interact with, what risks exist and how they will be secured.

(1) Source: Gartner.

(2) Source: IN-Stat/MDR.

 
 

Contacts and Subscriptions:
Follow this link to subscribe or unsubscribe
http://securityresponse.symantec.com/avcenter/newsletter_regions/en.html

Send virus samples to: avsubmit@symantec.com

Symantec, the Symantec logo, [registered trademarks in alphabetical order] are U.S. registered trademarks of Symantec Corporation. [Common law trademarks in alphabetical order] are trademarks of Symantec Corporation.

Windows, Windows NT, and the Windows logo are registered trademarks of Microsoft Corporation in the United States and other countries. All other brand and product names are trademarks of their respective holder(s). 

Copyright © 2003 Symantec Corporation. All rights reserved. Printed in Australia. March 2003.